Abstract. Let $\mathcal{O}$ be a maximal order in the quaternion algebra $B_p$ ramified at $p$ and $\infty$. Our main result is that, under certain conditions on a rank three sublattice $\mathcal{O}^T$ of $\mathcal{O}$, the order $\mathcal{O}$ is effectively characterized by the three successive minima and two other short vectors of $\mathcal{O}^T$. The desired conditions turn out to hold whenever the $j$-invariant $j(\mathcal{O})$ of the elliptic curve associated to the maximal order $\mathcal{O}$ lies in $\mathbb{F}_p$. We introduce Algorithm 1, which, given a maximal order $\mathcal{O}$, computes $j(\mathcal{O})$ using the reduction of Hilbert class polynomials to $\mathbb{F}_p$, and we use Theorem 1 to prove that Algorithm 1 terminates within running time $O(p^{1+\varepsilon})$ under the aforementioned conditions. As an application we present Algorithm 2, with running time $O(p^{2.5+\varepsilon})$, which is a more efficient alternative to Cerviño's algorithm to simultaneously match all maximal order types with their associated $j$-invariants.

1. Introduction

Let $p$ be a prime and $E$ a supersingular elliptic curve over $\mathbb{F}_{p^2}$. Then $\mathrm{End}(E)$ is a maximal order in the quaternion algebra $B_p$ ramified exactly at $p$ and $\infty$ (all notation and definitions are explained in Section 2). A special case of interest is when $E$ is defined over $\mathbb{F}_p$, in which case $\mathrm{End}(E)$ contains an element $\pi$ such that $\pi^2 = -p$.

Ibukiyama [11] has given an explicit description of all such maximal orders containing $\sqrt{-p}$. For example, let $p \equiv 1 \pmod 4$ and let $\mathcal{O}$ be a maximal order in $B_p$. Then there is a prime $q \equiv 3 \pmod 8$ such that (^) = -1, and an isomorphism $\phi : B_p \to \mathbb{Q} + \mathbb{Q}i + \mathbb{Q}j + \mathbb{Q}k$ where $i^2 = -p$, $j^2 = -q$ and $k = ij = -ji$, such that $\phi(\mathcal{O}) = \mathbb{Z} + \mathbb{Z}(1+j)/2 + \mathbb{Z}(i+k)/2 + \mathbb{Z}(rj+k)/q$ where $r$ is any integer such that $q \mid (r^2+p)$.

Consider the $\mathbb{Z}$-module $\mathcal{O}^T = \{2x - \mathrm{Tr}(x) : x \in \mathcal{O}\}$ of rank 3. Note that $y \in \mathcal{O}^T$ implies $\mathrm{Tr}(y) = 0$ and so $\mathcal{O}^T$ is a subset of the pure quaternions. Fix a $\mathbb{Z}$-module basis $\{\omega_1, \omega_2, \omega_3\}$ for $\mathcal{O}^T$ and consider the ternary quadratic form $Q(x, y, z) = \mathrm{Nr}(x\omega_1 + y\omega_2 + z\omega_3)$ giving a norm on $\mathcal{O}^T$. Kaneko [12] has shown, in the special case where $\sqrt{-p} \in \mathcal{O}^T$, that there is an element $x \in \mathcal{O}^T$ of norm at most ~^\/V-. Let $\mathcal{O}'$ be another maximal order in the same quaternion algebra $B_p$ and let $Q'$ be the ternary form associated with $\mathcal{O}'$. A natural question is whether $Q$ determines $\mathcal{O}$. In other words, if $Q'$ is equivalent to $Q$ in the sense of quadratic forms then is $\mathcal{O}'$ isomorphic to $\mathcal{O}$? We will show that this is the case. Indeed, our main result (Theorem 1) is much stronger: it states that if the forms $Q$ and $Q'$ have the same successive minima, plus some other mild conditions, then $\mathcal{O} = \mathcal{O}'$, and hence $Q$ and $Q'$ are equivalent. Schiemann [15] has shown that two ternary quadratic forms are determined by their theta series. Our result may be viewed as a strong form of Schiemann's theorem in the case where both forms arise from maximal orders in the same quaternion algebra.

Our work is motivated by several computational questions about supersingular elliptic curves. One problem is, given a maximal order $\mathcal{O}$ in $B_p$, to compute an elliptic curve $E$ over $\mathbb{F}_{p^2}$ such that $\mathrm{End}(E) = \mathcal{O}$. A second problem is to compute a list of all isomorphism classes of supersingular elliptic curves $E$ over $\mathbb{F}_{p^2}$ (or over $\mathbb{F}_p$ in a restricted case) together with a description of $\mathrm{End}(E)$. To solve both problems we use Hilbert class polynomials. The first problem does not seem to have been considered in the literature previously. Cerviño [I] has given an algorithm to solve the second problem that seems to run in $O(p^{3+\varepsilon})$ operations (or $O(p^{2.5+\varepsilon})$ in the restricted case over $\mathbb{F}_p$); our approach leads to a superior running time of $O(p^{2.5+\varepsilon})$ operations (or $O(p^{1.5+\varepsilon})$ in the restricted case). However, the main focus of our paper is the theoretical result, and further details about the algorithms and applications may be developed in future work.

2. Background 

We recall some basic notions, and introduce some notation that we use in the statement of our main result (Theorem 1).

We let $B_p$ be the quaternion algebra ramified exactly at $p$ and at $\infty$. A general reference for many of the facts in this section is Vignéras [19]. We recall that $B_p$ is a 4-dimensional division $\mathbb{Q}$-algebra containing $\mathbb{Q}$ and equipped with the symmetric positive definite bilinear form $\mathrm{Tr}(x\bar y)$ and the associated positive-definite quadratic form $\mathrm{Nr}(x) = \frac12\mathrm{Tr}(x\bar x)$. Every element $x \in B_p$ satisfies its characteristic equation $x^2 - \mathrm{Tr}(x)x + \mathrm{Nr}(x) = 0$. We define $B_p^0$ the subring of $B_p$ of elements of zero trace.

We let $\mathcal{O}$ and $\mathcal{O}'$ be orders of $B_p$. We recall that an order is a subring of $B_p$ that contains $\mathbb{Z}$ and has 4 linearly independent generators as a $\mathbb{Z}$-module. We recall furthermore that for all $x \in \mathcal{O}$, we have $\mathrm{Tr}(x), \mathrm{Nr}(x) \in \mathbb{Z}$. Finally, we say that $\mathcal{O}$ and $\mathcal{O}'$ are of the same type if there exists non-zero $c \in B_p$ such that $c\mathcal{O}c^{-1} = \mathcal{O}'$, and we let the total number of maximal order types be $t_p$, the type number of $B_p$.

Unless otherwise stated, we will always assume that $\mathcal{O}$ and $\mathcal{O}'$ are maximal, i.e., neither is properly contained in any other order. Deuring showed that, associated to the maximal order $\mathcal{O}$, there exists either one supersingular $j$-invariant $j(\mathcal{O}) \in \mathbb{F}_p$, or a conjugate pair $j(\mathcal{O}), \overline{j(\mathcal{O})} \in \mathbb{F}_{p^2}$, such that $\mathrm{End}(E(j(\mathcal{O}))) = \mathrm{End}(E(\overline{j(\mathcal{O})})) = \mathcal{O}$, where $E(j)$ is the unique (up to isomorphism) elliptic curve with $j$-invariant $j$.

For arbitrary vectors $v_1, v_2, \dots, v_n$ of a general vector space $V$ we denote by

$\langle v_1, v_2, \dots, v_n\rangle := \{a_1v_1 + a_2v_2 + \dots + a_nv_n \mid a_1, a_2, \dots, a_n \in \mathbb{Z}\}$

the standard lattice generated by these vectors.

We say that a non-zero lattice element $x \in \Lambda = \langle v_1, v_2, \dots, v_n\rangle$ is primitive if there do not exist $y \in \Lambda$ and $a \in \mathbb{Z}$ such that $ay = x$ and $a \ne \pm 1$. If $x = a_1v_1 + \dots + a_nv_n$, then $x$ is primitive if and only if $\gcd(a_1, \dots, a_n) = 1$. We also say that an integer $k$ is represented by $\Lambda = \langle v_1, v_2, \dots, v_n\rangle$ if there exists $x \in \Lambda$ such that $\mathrm{Nr}(x) = k$, in which case we also say that $x$ represents $k$. Furthermore, we say that $x$ optimally represents $k$ if $x$ is primitive.

If $k \ne 0$, we say that $k$ is represented by $\Lambda$ with multiplicity $\theta_\Lambda(k)$, where

$\theta_\Lambda(k) = \frac12\#\{(a_1, \dots, a_n) \in \mathbb{Z}^n \mid \mathrm{Nr}(a_1v_1 + \dots + a_nv_n) = k\},$

and likewise $k$ is represented optimally by $\Lambda$ with optimal multiplicity $\theta'_\Lambda(k)$, where

$\theta'_\Lambda(k) = \frac12\#\{(a_1, \dots, a_n) \in \mathbb{Z}^n \mid \mathrm{Nr}(a_1v_1 + \dots + a_nv_n) = k, \gcd(a_1, \dots, a_n) = 1\}.$

The reason for the factor of $\frac12$ is to avoid counting both $x$ and $-x$ with $\mathrm{Nr}(x) = \mathrm{Nr}(-x) = k$, which are effectively the same representations.

For a lattice $\Lambda = \langle v_1, v_2, v_3, v_4\rangle$ in $B_p$ we define its discriminant as $D(\Lambda) = D(v_1, v_2, v_3, v_4) = |\det(\mathrm{Tr}(v_iv_j))|$ (see Section 1.4 of [19]). It is a standard fact that for a maximal order $\mathcal{O} \subset B_p$, it holds that $D(\mathcal{O}) = p^2$ (see, for example, Corollary III.5.3 of Vignéras [19]). Note that the discriminant $D(\mathcal{O})$ of an order $\mathcal{O}$ can also be computed as $|\det(\mathrm{Tr}(v_i\bar v_j))|$.

We will often think of $B_p$ simply as an inner product space and forget its algebraic structure. To do this, we can find a $\mathbb{Q}$-basis $\{1, \tau, \rho, \tau\rho\}$ for $B_p$ such that $\tau^2 = -p$, $\rho^2 = -q$ and $\tau\rho = -\rho\tau$, where $q$ is a prime such that $q \equiv 3 \pmod 8$ and — 1 (see, for example, Lemma 1.1 of Ibukiyama Then in particular,

$\mathrm{Nr}(a + b\tau + c\rho + d\tau\rho) = a^2 + b^2\mathrm{Nr}(\tau) + c^2\mathrm{Nr}(\rho) + d^2\mathrm{Nr}(\tau\rho)$ for $a, b, c, d \in \mathbb{Q}$.

As such, we will embed $B_p$ into $\mathbb{R}^4$ by the mapping

$\phi : a + b\tau + c\rho + d\tau\rho \mapsto ae_1 + b\sqrt{\mathrm{Nr}(\tau)}\,e_2 + c\sqrt{\mathrm{Nr}(\rho)}\,e_3 + d\sqrt{\mathrm{Nr}(\tau\rho)}\,e_4,$

where $e_1, \dots, e_4$ are the usual orthonormal vectors in $\mathbb{R}^4$. We observe that $\phi$ is indeed an isometry (the quadratic form on $\mathbb{R}^4$ being understood as the square of the standard Euclidean norm). We note that this is not the only standard way to represent $B_p$ (see, for example, Proposition 5.1 of Pizer [14] for a different, but related representation). In particular, the above representation of $B_p$ is not the one used in the two examples of Appendix A.

For an $n$-dimensional lattice $L$ in $\mathbb{R}^m$, let $\det(L)$, the determinant of $L$, be the square of the volume of $L$, i.e., if $B$ is a basis matrix for $L$ then $\det(L) := \det(BB^T) = \mathrm{Vol}(L)^2$. Notice that this is different to the more common definition of $\det(L) = \sqrt{\det(BB^T)} = \mathrm{Vol}(L)$. We will also say that the $n$ successive minima of $L$ are $D_1, D_2, \dots, D_n \in \mathbb{R}$ such that $D_i$ is minimal such that there exist $i$ linearly independent vectors $v_1, v_2, \dots, v_i \in L$ with $\|v_j\|^2 \le D_i$ for all $j \le i$. Again we remark that our definition is the square of the more common definition where $\|v_j\| \le D_i$ is taken instead of $\|v_j\|^2 \le D_i$.

Likewise, for any lattice $\Lambda \subset B_p$, the determinant, volume and successive minima of $\Lambda$ are simply those of $\phi(\Lambda)$. We note that for a 4-dimensional lattice $\Lambda \subset B_p$, we have

(2.1) $D(\Lambda) = 16\det(\phi(\Lambda))$

since $\mathrm{Tr}(x\bar y) = 2\phi(x)\phi(y)^T$.

Under this notation, standard lattice bounds show that there is a minimal constant $\gamma_n$ (called the $n$-th Hermite constant) such that

(2.2) $\det(L) \le \prod_{i=1}^{n} D_i \le \gamma_n^n\det(L).$

It is known that $\gamma_2 = \sqrt{4/3}$ (see Section XI.5 of Siegel [15]).

Definition 1. For an order $\mathcal{O} \subset B_p$, we define $\mathcal{O}^T := \{2x - \mathrm{Tr}(x) \mid x \in \mathcal{O}\}$.

We remark that $\mathcal{O}^T$ is a sublattice of $\mathcal{O} \cap B_p^0$, and this inclusion is strict. The set $\mathcal{O}^T$ is called the "Gross lattice" by some authors.

For a negative discriminant $-D$ ($D \equiv 0$ or $3 \pmod 4$), we consider the imaginary quadratic order $\mathcal{O}_{-D} := \mathbb{Z}[\frac12(D + \sqrt{-D})]$ of discriminant $-D$. An embedding $\iota : \mathcal{O}_{-D} \hookrightarrow \mathcal{O}$ is called optimal if $(\mathbb{Q} \otimes \iota(\mathcal{O}_{-D})) \cap \mathcal{O} = \iota(\mathcal{O}_{-D})$. By a straightforward argument (see, for example, the beginning of Section 3 of Elkies et al. [7]), we see that there is a bijection between primitive elements of $\mathcal{O}^T$ and optimal embeddings in the following sense: for every optimal representation of $D$ in $\mathcal{O}^T$ by a primitive element $x \in \mathcal{O}^T$, there is a unique optimal embedding $\iota : \mathcal{O}_{-D} \hookrightarrow \mathcal{O}$ such that $\iota(\sqrt{-D}) = x$, and vice versa. Hence, whenever we talk of an optimal representation or primitive element, we will always associate to it the corresponding optimal embedding.

Throughout the paper we will use the following notation. 

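Definition 2. Let $\mathcal{O}$ and $\mathcal{O}'$ be two maximal orders in $B_p$. Let $\mathcal{O}^T$ and $\mathcal{O}'^T$ be as in Definition 1. Let $D_1, D_2, D_3$ (respectively, $D_1', D_2', D_3'$) be the successive minima of $\mathcal{O}^T$ (respectively, $\mathcal{O}'^T$). Denote by $x, y, z \in \mathcal{O}^T$ elements such that $D_1 = \mathrm{Nr}(x)$, $D_2 = \mathrm{Nr}(y)$, $D_3 = \mathrm{Nr}(z)$. Similarly, denote by $x', y', z' \in \mathcal{O}'^T$ elements such that $D_1' = \mathrm{Nr}(x')$, $D_2' = \mathrm{Nr}(y')$, $D_3' = \mathrm{Nr}(z')$.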

3. Main Result and Basic Properties 

Let notation be as above. We consider the following conditions on $D_1$, $D_2$ and $p$.

(3.1) $D_1D_2 < \frac{16}{3}p$, $15 < D_1$, and $286 < p$.

Lemma 1 shows that these conditions hold in a significant number of cases.

Lemma 1. Let $p > 286$ and let $\mathcal{O}$ be a maximal order in $B_p$ such that $j(\mathcal{O}) \in \mathbb{F}_p$. If $15 < D_1$ then conditions (3.1) hold.
Proof. Kaneko [12] proves (see the proof of Theorem 1 on pages 851-852) that if $j(\mathcal{O}) \in \mathbb{F}_p$, then there exists a 2-dimensional sublattice $\Lambda$ of $\mathcal{O}^T$ with determinant $\det(\Lambda) = 4p$. Let $d_1$ and $d_2$ be the two first successive minima of $\Lambda$. It is well known that the second Hermite constant is given by $\gamma_2^2 = 4/3$. Using this in (2.2), we obtain that $4p \le d_1d_2 \le \frac{16}{3}p$. Finally, since $D_i \le d_i$ for $i = 1, 2$, it follows that $D_1D_2 \le \frac{16}{3}p$ as desired. □

We now state our main result. 

Theorem 1. Let $\mathcal{O}$ and $\mathcal{O}'$ be two maximal orders of $B_p$ and $D_1 = \mathrm{Nr}(x)$, $D_2 = \mathrm{Nr}(y)$, and $D_3 = \mathrm{Nr}(z)$ be the three successive minima of $\mathcal{O}^T$ as in Definition 2. Suppose that $D_1$, $D_2$, $\mathrm{Nr}(x+y)$, $\mathrm{Nr}(x-y)$ and $D_3$ are all represented optimally in $\mathcal{O}'^T$ and that $\theta'_{\mathcal{O}^T}(D_3) \le \theta'_{\mathcal{O}'^T}(D_3)$. Assume furthermore that (3.1) holds. Then $\mathcal{O}$ and $\mathcal{O}'$ are of the same type.

We now describe the general strategy of the proof of Theorem 1. Under the conditions (3.1), we show in Lemma 7 that if $\mathcal{O}'^T$ optimally represents $D_1$ and $D_2$, then this implies that their first successive minima agree, i.e., $D_1 = D_1'$. Then the fact that $\mathrm{Nr}(x+y)$ and $\mathrm{Nr}(x-y)$ are represented optimally in $\mathcal{O}'^T$ will imply that $D_2 = D_2'$ and $\mathrm{Nr}(x+y) = \mathrm{Nr}(x'+y')$. This is Lemma 8. As a result, by Lemma 9 we can conjugate by an appropriate element $c \in B_p$, and assume that $\mathcal{O}^T$ and $\mathcal{O}'^T$ both contain $\langle x, y\rangle$. Finally, since $D_3$ is also represented by $\mathcal{O}'^T$ outside of $\langle x, y\rangle$, we show that $z = \pm z'$, and so $\mathcal{O}^T$ and $\mathcal{O}'^T$ are isometric. This is done in Lemma 12. We finally conclude by Lemma 5 that $\mathcal{O}$ and $\mathcal{O}'$ are indeed of the same type as desired.

We first develop some basic results that shall be used throughout the proof. As already noted, the discriminant of a maximal order $\mathcal{O} \subset B_p$ is $p^2$. We have the following basic result on the determinant of $\mathcal{O}^T$ which follows directly from standard linear algebra. We state and prove it here for the sake of completeness.

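Lemma 2. Let $\mathcal{O}$ be a maximal order of $B_p$. Then $\det(\mathcal{O}^T) = 4p^2$.

Proof. Since $D(\mathcal{O}) = p^2$, equation (2.1) implies $\det(\mathcal{O}) = p^2/16$ and $\mathrm{Vol}(\mathcal{O}) = \sqrt{\det(\mathcal{O})} = p/4$. Let $\mathcal{O} = \langle 1, u_1, u_2, u_3\rangle$, and consider $\mathcal{O}_1 := \langle 1, 2u_1, 2u_2, 2u_3\rangle$. Since $\mathrm{Tr}(u_i) \in \mathbb{Z}$, we define $v_i := 2u_i - \mathrm{Tr}(u_i)$ for $1 \le i \le 3$ and observe that $\mathcal{O}_1 = \langle 1, v_1, v_2, v_3\rangle$. We claim that $\mathcal{O}^T = \langle v_1, v_2, v_3\rangle$. Indeed, we clearly have $\langle v_1, v_2, v_3\rangle \subseteq \mathcal{O}^T$. Conversely, for any $x \in \mathcal{O}$, we let $x = a + \sum_{i=1}^{3} a_iu_i$ for some $a, a_i \in \mathbb{Z}$, and so

$2x - \mathrm{Tr}(x) = 2a + 2\sum_{i=1}^{3} a_iu_i - 2a - \sum_{i=1}^{3} a_i\mathrm{Tr}(u_i) = \sum_{i=1}^{3} a_iv_i \in \langle v_1, v_2, v_3\rangle.$

Hence $\mathcal{O}^T \subseteq \langle v_1, v_2, v_3\rangle$, and it follows that $\mathcal{O}^T = \langle v_1, v_2, v_3\rangle$ as claimed.

To conclude the proof, we observe that $1, u_1, u_2, u_3$ form a $\mathbb{Q}$-basis for $B_p$, and so $\phi(1), \phi(u_1), \phi(u_2), \phi(u_3)$ form an $\mathbb{R}$-basis for $\mathbb{R}^4$. As a result,

$\mathrm{Vol}(\mathcal{O}_1) = 8\,\mathrm{Vol}(\mathcal{O}) = 2p,$

where the first equality comes from the fact that we have doubled three of the vectors in the basis of $\phi(\mathcal{O})$ to obtain $\phi(\mathcal{O}_1)$. Now since $\phi(1) = e_1$ has length 1 and is orthogonal to $\phi(v_1)$, $\phi(v_2)$ and $\phi(v_3)$, we see that

$\det(\mathcal{O}^T) = \det(\langle v_1, v_2, v_3\rangle) = \mathrm{Vol}(\langle\phi(v_1), \phi(v_2), \phi(v_3)\rangle)^2 = \mathrm{Vol}(\langle e_1, \phi(v_1), \phi(v_2), \phi(v_3)\rangle)^2 = \mathrm{Vol}(\mathcal{O}_1)^2 = 4p^2,$

as claimed. □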

It is well known (see Section XI.6 of [16]) that the third Hermite constant $\gamma_3$ is given by $\gamma_3^3 = 2$. As the determinants of $\mathcal{O}^T$ and $\mathcal{O}'^T$ are $4p^2$, the bounds from (2.2) tell us that

(3.2) $4p^2 \le D_1D_2D_3,\ D_1'D_2'D_3' \le 8p^2.$

As a consequence of the upper bound, we observe that $\langle x, y, z\rangle$ cannot be a strict sublattice of $\mathcal{O}^T$. This is because the volume of a lattice $\Lambda$ always divides the volume of any sublattice $\Lambda' \subseteq \Lambda$, with $\mathrm{Vol}(\Lambda) = \mathrm{Vol}(\Lambda')$ if and only if $\Lambda = \Lambda'$. Hence if $\langle x, y, z\rangle \ne \mathcal{O}^T$, then $\mathrm{Vol}(\langle x, y, z\rangle) \ge 2\,\mathrm{Vol}(\mathcal{O}^T)$, and so $D_1D_2D_3 \ge \det(\langle x, y, z\rangle) \ge 4\det(\mathcal{O}^T) = 16p^2$, which contradicts (3.2). Likewise for $\langle x', y', z'\rangle$, and as a result, we have $\mathcal{O}^T = \langle x, y, z\rangle$ and $\mathcal{O}'^T = \langle x', y', z'\rangle$.
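
The construction of $\mathcal{O}^T$ from Definition 1, checked numerically against $D(\mathcal{O}) = p^2$, Lemma 2 and the bounds (3.1) and (3.2), as an added example that is not code from the paper. It uses the basis $1, (1+j)/2, (i+k)/2, (rj+k)/q$ quoted in the Introduction; the parameters $p = 293$ with $(q, r) = (3, 1)$ and $(19, 7)$ are constructed sample values, and all function names are this example's own.

```python
from fractions import Fraction
from itertools import product
from math import isqrt


def det(M):
    """Exact determinant by Gaussian elimination over the rationals."""
    M = [[Fraction(x) for x in row] for row in M]
    n, d = len(M), Fraction(1)
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c] != 0), None)
        if piv is None:
            return Fraction(0)
        if piv != c:
            M[c], M[piv] = M[piv], M[c]
            d = -d
        d *= M[c][c]
        for r in range(c + 1, n):
            f = M[r][c] / M[c][c]
            M[r] = [a - f * b for a, b in zip(M[r], M[c])]
    return d


def order_basis(p, q, r):
    """Z-basis 1, (1+j)/2, (i+k)/2, (rj+k)/q in coordinates on (1, i, j, k)."""
    if (r * r + p) % q:
        raise ValueError("need q | r^2 + p")
    h = Fraction(1, 2)
    return [(Fraction(1), 0, 0, 0), (h, 0, h, 0), (0, h, 0, h),
            (0, 0, Fraction(r, q), Fraction(1, q))]


def trace_form(vectors, p, q):
    """Matrix of Tr(u conj(v)) = 2(a a' + p b b' + q c c' + pq d d')."""
    w = (1, p, q, p * q)
    return [[2 * sum(Fraction(wi) * a * b for wi, a, b in zip(w, u, v))
             for v in vectors] for u in vectors]


def gross_lattice(basis):
    """v_i = 2u_i - Tr(u_i) for the non-unit basis vectors; Tr(u) = 2a."""
    return [(0, 2 * b, 2 * c, 2 * d) for (_, b, c, d) in basis[1:]]


def successive_minima(G):
    """Successive minima (squared lengths, as in the text) for integer Gram G."""
    n, d = len(G), det(G)
    bound = max(G[i][i] for i in range(n))  # the basis itself has norms <= bound
    box = []
    for i in range(n):
        minor = [[G[r][c] for c in range(n) if c != i] for r in range(n) if r != i]
        # Cauchy-Schwarz: a_i^2 <= (G^-1)_ii * Q(a) <= (G^-1)_ii * bound
        box.append(isqrt(int(bound * det(minor) / d)))

    def Q(a):
        return sum(G[i][j] * a[i] * a[j] for i in range(n) for j in range(n))

    vectors = sorted((Q(a), a) for a in product(*(range(-b, b + 1) for b in box)) if any(a))
    chosen, minima = [], []
    for norm, a in vectors:  # greedy: shortest vector independent of those chosen
        trial = chosen + [a]
        gram = [[sum(s * t for s, t in zip(u, v)) for v in trial] for u in trial]
        if det(gram) != 0:
            chosen, minima = trial, minima + [norm]
            if len(chosen) == n:
                break
    return tuple(minima)


def analyse(p, q, r):
    """Invariants of the order with parameters (p, q, r) and of its lattice O^T."""
    O = order_basis(p, q, r)
    disc = abs(det(trace_form(O, p, q)))  # D(O), expected p^2
    # The norm form on O^T is half the trace form; its entries are integers on O^T.
    G = [[int(x / 2) for x in row] for row in trace_form(gross_lattice(O), p, q)]
    D1, D2, D3 = successive_minima(G)
    return {
        "D(O)": disc,
        "det(O^T)": det(G),  # Lemma 2: 4p^2
        "minima": (D1, D2, D3),
        "(3.2)": 4 * p * p <= D1 * D2 * D3 <= 8 * p * p,
        # (3.1) with the inequality signs as printed on the page
        "(3.1)": 3 * D1 * D2 < 16 * p and 15 < D1 and 286 < p,
    }


if __name__ == "__main__":
    for q, r in [(3, 1), (19, 7)]:  # constructed sample parameters for p = 293
        print((293, q, r), analyse(293, q, r))
```

For $(q, r) = (3, 1)$ the first minimum is too small for (3.1), while $(19, 7)$ satisfies all three conditions; both satisfy (3.2).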

We now observe that since $x$ and $y$ represent the first two successive minima of $\mathcal{O}^T$, we have $\mathrm{Nr}(x+y) = \mathrm{Nr}(x) + \mathrm{Nr}(y) + \mathrm{Tr}(x\bar y) \ge \mathrm{Nr}(y)$ and likewise $\mathrm{Nr}(x-y) = \mathrm{Nr}(x) + \mathrm{Nr}(y) - \mathrm{Tr}(x\bar y) \ge \mathrm{Nr}(y)$. We hence must have $|\mathrm{Tr}(x\bar y)| \le \mathrm{Nr}(x) = D_1$, otherwise one of these two inequalities would not hold. Hence we let $\mathrm{Tr}(x\bar y) = \mu D_1$ for some $|\mu| \le 1$, and WLOG we will take $-1 \le \mu \le 0$ (as otherwise we swap the sign of either $x$ or $y$). Similarly we will let $\mathrm{Tr}(x'\bar y') = \lambda D_1'$ with $-1 \le \lambda \le 0$.

Unless otherwise stated, we henceforth always assume

(3.3) $D_2' \le D_2$ and

(3.4) $8 < D_1$ (which in particular holds true under conditions (3.1)).

Lemma 3. Let notation be as above. Then $-1 < \mu, \lambda \le 0$ and $D_1 \ne D_2$.

Proof. We first show that the cases $\mu = -1$ and $\lambda = -1$ are impossible. If $\mu = -1$, then $\mathrm{Nr}(y) = \mathrm{Nr}(x+y)$. Hence $D_2$ would have two different optimal representations in $\mathcal{O}^T$, and so Theorem 2' of Kaneko [12] implies that $D_2^2 \ge p^2$. As $D_3 \ge D_2$ and we are assuming (3.4), this would imply that $D_1D_2D_3 > 8p^2$, which contradicts (3.2), and so $\mu = -1$ is indeed impossible. Similarly if $\lambda = -1$, then $(D_2')^2 \ge p^2$. By (3.3) this would imply $D_2 \ge p$, and we again reach the same contradiction. The same application of Kaneko's result tells us that $D_1 \ne D_2$. □

We derive one final important inequality. We observe that in the proof of Theorem 2', page 853 of [12], Kaneko proves that $p$ must always divide the quantity $\frac14(D_1D_2 - (2s - D_1D_2)^2)$, where $s = \mathrm{Tr}(\alpha_1\alpha_2)$ and where for us, $\alpha_1 = \frac12(x + D_1)$ and $\alpha_2 = \frac12(y + D_2)$. It is straightforward to verify that

$s = -\frac{\mu}{4}D_1 + \frac12D_1D_2.$

Substituting this value for $s$, we find that $4p$ divides $D_1(D_2 - \frac{\mu^2}{4}D_1)$. The same result applies to $\mathcal{O}'^T$ (which is actually where we will use it), and so defining $M := D_1'(D_2' - \frac{\lambda^2}{4}D_1')$, it follows that

(3.5) $4p \le M.$

We remark that the above with (3.2) gives

(3.6) $4p \le D_1D_2$ and $D_3 \le 2p$,

and so in particular under conditions (3.1),

(3.7) $4p \le D_1D_2 < \frac{16}{3}p$ and $\frac34p < D_3 \le 2p$.

The following lemma allows us to characterize the conjugacy classes of $B_p$. For any $x, y \in B_p$, we write $x \sim y$ if there exists non-zero $c \in B_p$ such that $cxc^{-1} = y$.

Lemma 4. For all $x, y \in B_p$, it holds that $x \sim y$ if and only if $\mathrm{Tr}(x) = \mathrm{Tr}(y)$ and $\mathrm{Nr}(x) = \mathrm{Nr}(y)$.

Proof. This follows from the Skolem-Noether Theorem, see Theorem 1.2.1 of Vignéras [19] or Theorem 5 (on page 10) of Eichler [6] (note that Eichler calls it Wedderburn's Theorem). □

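For an order $\mathcal{O}$, we remark that by writing $\mathcal{O}^T = \langle v_1, v_2, v_3\rangle$ as in the proof of Lemma 2, it is not difficult to see that $\mathcal{O} = \{x \in \frac12\langle 1, \mathcal{O}^T\rangle : \mathrm{Nr}(x) \in \mathbb{Z}\}$. From this observation we obtain the following lemma which tells us that $\mathcal{O}$ is characterized by $\mathcal{O}^T$.

Lemma 5. Two orders $\mathcal{O}, \mathcal{O}' \subset B_p$ are of the same type if and only if $\mathcal{O}^T \sim \mathcal{O}'^T$, i.e., there exists non-zero $c \in B_p$ such that $c\mathcal{O}^Tc^{-1} = \mathcal{O}'^T$.

Proof. It is clear that if $c\mathcal{O}c^{-1} = \mathcal{O}'$, then $c\mathcal{O}^Tc^{-1} = \mathcal{O}'^T$. Conversely, assume that $c\mathcal{O}^Tc^{-1} = \mathcal{O}'^T$. By conjugating $\mathcal{O}$ by $c$, we see it suffices only to prove that if $\mathcal{O}^T = \mathcal{O}'^T$, then $\mathcal{O}$ and $\mathcal{O}'$ are of the same type. But from the above observation, if $\mathcal{O}^T = \mathcal{O}'^T$, then $\langle 1, \mathcal{O}^T\rangle = \langle 1, \mathcal{O}'^T\rangle$ and so in fact we obtain $\mathcal{O} = \mathcal{O}'$. □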



4. Proof of Theorem 1

We now begin to prove the more technical lemmas which will be used in the proof of Theorem 1. The following lemma will only be used in the context of maximal orders, but we remark that it can be readily generalized to all 2-dimensional lattices.

Lemma 6. Under the condition $\mu, \lambda \in (-1, 0]$, $x + y$ is the next shortest element of $\langle x, y\rangle$ after $\pm y$ which is not in $\langle x\rangle$, and likewise $x' + y'$ is the next shortest element of $\langle x', y'\rangle$ after $\pm y'$ which is not in $\langle x'\rangle$.

Proof. We need to check that $\mathrm{Nr}(ax+by) = a^2D_1 + b^2D_2 + ab\mu D_1$ will always exceed $\mathrm{Nr}(x+y) = D_1 + D_2 + \mu D_1$ for $a, b \in \mathbb{Z}$ unless $a = b = \pm 1$.

The case $a = 0$ is trivial since $x + y$ is strictly shorter than $2y$. So we assume that $a \ge 1$ (otherwise swap $a, b$ with $-a, -b$ everywhere).

We have $a^2D_1 + b^2D_2 + ab\mu D_1 = aD_1(a + b\mu) + b^2D_2$. So if $a + b\mu \ge 0$ then for $|b| \ge 2$ we have

$aD_1(a + b\mu) + b^2D_2 \ge b^2D_2 = D_2 + D_2(b^2 - 1) > \mathrm{Nr}(x+y).$

And if $a + b\mu < 0$ then $0 < a < b$ and $-ab < a(a + b\mu)$, and so for $b \ge 2$ we have

$aD_1(a + b\mu) + b^2D_2 > bD_2(b - a) \ge 2D_2 > \mathrm{Nr}(x+y).$

Hence we are left with the case $|b| = 1$. We now no longer assume $a \ge 1$, but instead WLOG assume $b = 1$. It is clear that for $|a| \ge 2$ it holds that

$D_2 + a(a + \mu)D_1 > D_2 + 2D_1 > D_2 + D_1 \ge \mathrm{Nr}(x+y).$

Hence we only have to consider $|a| = 1$ and clearly we have $\mathrm{Nr}(x-y) \ge \mathrm{Nr}(x+y)$ (with equality only if $\mu = 0$), and so indeed $x + y$ is the next shortest element of $\langle x, y\rangle$ after $\pm y$ which is not in $\langle x\rangle$ as claimed. The same exact argument applies to $x' + y'$. □

The following lemma is the first of three technical lemmas, being Lemmas 7, 8 and 12. In these three lemmas we require bounds on $D_1$, $D_1D_2$, and sometimes on $p$. The bounds required by the following Lemma 7 are the strictest and, unlike in Lemmas 8 and 12, we have not yet found a way to loosen them. If the bound on $D_1D_2$ in the following lemma can be loosened, then the restrictions imposed in Theorem 1 can be loosened as well.

Lemma 7. Let $\mathcal{O}, \mathcal{O}' \subset B_p$ be two maximal orders as in Definition 2. Assume $D_1$ and $D_2$ are both represented optimally by $\mathcal{O}'^T$. Then $D_1 = D_1'$ provided that

(4.1) $D_1D_2 < \frac{16}{3}p$ and

(4.2) $8 < D_1$.

Proof. We first prove that the vectors of $\mathcal{O}'^T$ which optimally represent $D_1$ and $D_2$ lie in $\langle x', y'\rangle$. Since $D_1$ and $D_2$ are represented optimally by $\mathcal{O}'^T$, we must have $D_1' \le D_1$ and $D_2' \le D_2$. Hence by (4.1) we have $D_1'D_2' \le D_1D_2 < \frac{16}{3}p$, and so from (3.2) we have

$\frac34p < \frac{4p^2}{D_1'D_2'} \le D_3'.$

Since the norm of the shortest element in $\mathcal{O}'^T$ outside $\langle x', y'\rangle$ is $D_3'$, if $D_2$ is represented outside $\langle x', y'\rangle$ then $\frac34p < D_3' \le D_2$ and hence D\ < < ^ < 8 which contradicts (4.2). So $D_2$ cannot be represented outside $\langle x', y'\rangle$. Clearly $D_1$ cannot be represented outside $\langle x', y'\rangle$ either.

We now assume $D_1 = \mathrm{Nr}(ax' + by')$ with $b \ne 0$. This implies in particular that $D_2' \le D_1$, and so by (4.1) we have

(4.3) D> 2 < A^p.

From Lemma 6 we know that $x' + y'$ is the next shortest element after $\pm y'$ in $\langle x', y'\rangle \setminus \langle x'\rangle$, and we recall from Lemma 3 that $\lambda \in (-1, 0]$ and $D_1 \ne D_2$. The latter implies that $D_1$ and $D_2$ must have different optimal representations in $\mathcal{O}'^T$, and so it follows that $\mathrm{Nr}(x' + y') = D_2' + (1 + \lambda)D_1' \le D_2$. Combined with $D_2' \le D_1$, we have that

(4.4) $D_2'(D_2' + (1 + \lambda)D_1') \le D_1D_2 < \frac{16}{3}p.$

We recall the definition $M = D_1'(D_2' - \frac{\lambda^2}{4}D_1')$, and we will show that $M < 4p$ under the constraints $D_1' \le \min\{D_2', \frac{1}{1+\lambda}(\frac{16p}{3D_2'} - D_2')\}$, where the second term in the min comes from (4.4), and this will be a contradiction to (3.5).

We consider two cases depending on whether or not $D_2' \le \frac{1}{1+\lambda}(\frac{16p}{3D_2'} - D_2')$. Note that this happens when $(D_2')^2(2 + \lambda) \le 16p/3$.

First note that $M$ is maximised when $D_1'$ is as large as possible. In the case $(D_2')^2(2 + \lambda) \le 16p/3$ this means $D_1' = D_2'$ and so

M < D' 2 < — p < 4». 

- 2 \ 4 y - 3 + 2 V. 4 / 

In the case $(D_2')^2(2 + \lambda) > 16p/3$ we take $D_1' = \frac{1}{1+\lambda}\left(\frac{16p}{3D_2'} - D_2'\right)$. Writing $\gamma = (D_2')^2$ we have

(4.5) M£ —^(f p -^( llX + 2f -Sf p 



The RHS of (|4.5|) is subject to the constraints 7 = D' 2 < D\ < ^-p (which comes from (|4.3|) ) and 3 ^J r2 - ) P < 7- 
It is then routine to verify that the RHS of (|4.5[) is maximized when 7 is minimal, i.e., 7 = gr^paj P (a simple 
way to verify this is to compute the partial derivative of the RHS of (|4.5p with respect to 7 and observe that 
it is negative when ^x+te ^ lO" Substituting 7 = 3 (^ 2 ) P ^ e RHS of (|4.5|) reduces it to |(2 — A)p, 
which for A e (—1,0] is always less that Ap. 

Hence, in both cases, we obtain that $M < 4p$, which contradicts (3.5). In conclusion, if $D_1$ and $D_2$ are both represented optimally by $\mathcal{O}'^T$ with $D_1 = \mathrm{Nr}(ax' + by')$, then we must have $b = 0$ and it follows that $a = 1$ and $D_1 = D_1'$. □

Lemma 8. Let $\mathcal{O}, \mathcal{O}' \subset B_p$ be two maximal orders and let notation be as in Definition 2. Assume $D_1 = D_1'$ and that $D_2$, $\mathrm{Nr}(x+y)$ and $\mathrm{Nr}(x-y)$ are all represented optimally by $\mathcal{O}'^T$. Then $x \sim x'$, $y \sim y'$ and $x + y \sim x' + y'$ (from which it will follow that $\langle x, y\rangle \sim \langle x', y'\rangle$ by Lemma 9) provided that

(4.6) $D_1D_2 < 7p$,

(4.7) $15 < D_1$, and

(4.8) $286 < p$.

Proof. In light of Lemma 4 it suffices to prove that $D_2 = D_2'$ and $\mathrm{Nr}(x+y) = \mathrm{Nr}(x'+y')$ since all vectors in question have zero trace.

Recall that $\mathrm{Nr}(x+y) = (1+\mu)D_1 + D_2$ and $\mathrm{Nr}(x'+y') = (1+\lambda)D_1 + D_2'$ where $-1 < \mu, \lambda \le 0$. To avoid trivial cases later on, we first prove that $\mu, \lambda \ne 0$. From Lemma 6 we know that $\mathrm{Nr}(x+y) \le \mathrm{Nr}(x-y)$, and if equality held, then $\mathrm{Nr}(x+y) = \mathrm{Nr}(x-y) = D_1 + D_2$, which by Theorem 2' of [12] implies that $(D_1 + D_2)^2 \ge p^2$ and so $D_1 + D_2 \ge p$. As $D_3 \ge D_2$, this in turn implies

$D_1D_2D_3 \ge D_1D_2^2 \ge D_1(p - D_1)^2 > 8p^2,$

where the last inequality is true for $15 < D_1 < \sqrt{7p}$ and $p$ in (4.8), which contradicts (3.2). As a result $\mathrm{Nr}(x+y) < \mathrm{Nr}(x-y)$ which is indeed equivalent to $\mu \in (-1, 0)$. The same exact argument (keeping in mind that $D_1' = D_1$) shows that $\lambda \ne 0$, and so indeed we have that $\mu, \lambda \in (-1, 0)$.

Now we prove that the vectors in $\mathcal{O}'^T$ which represent $\mathrm{Nr}(x)$, $\mathrm{Nr}(y)$, $\mathrm{Nr}(x+y)$ and $\mathrm{Nr}(x-y)$ all lie in $\langle x', y'\rangle$. The longest of these vectors, $x - y$, has norm $(1-\mu)D_1 + D_2 < 2D_1 + D_2$, which from (4.6) and (4.7) is bounded by $2D_1 + D_2 < 30 + \frac{7p}{15}$. On the other hand, from $D_2' \le D_2$ we obtain $D_1'D_2' < 7p$, and hence we have that $\frac47p < \frac{4p^2}{D_1'D_2'} \le D_3'$ from (3.2). This implies that for $p$ in (4.8) we have

(4.9) $2D_1 + D_2 < 30 + \frac{7p}{15} < \frac47p < D_3'.$

Since $D_3'$ is the norm of the shortest element of $\mathcal{O}'^T$ outside $\langle x', y'\rangle$, we see that none of $D_1$, $D_2$, $\mathrm{Nr}(x+y)$, $\mathrm{Nr}(x-y)$ can be represented outside $\langle x', y'\rangle$.

Hence assume $D_2 = \mathrm{Nr}(ax' + by')$. Remarking that $a(a + b\lambda) \ge -\left(\frac{b\lambda}{2}\right)^2$, and recalling that $D_1 = D_1'$ by assumption, we obtain

$D_2 = a^2D_1' + b^2D_2' + ab\lambda D_1' = aD_1'(a + b\lambda) + b^2D_2' \ge b^2D_2' - \left(\frac{b\lambda}{2}\right)^2D_1,$

which implies $D_2' \le \frac{1}{b^2}D_2 + \frac{\lambda^2}{4}D_1$. Hence by (4.6), for $|b| \ge 2$ we have

$M = D_1'D_2' - \frac{\lambda^2}{4}(D_1')^2 \le D_1\left(\frac14D_2 + \frac{\lambda^2}{4}D_1\right) - \frac{\lambda^2}{4}D_1^2 = \frac{D_1D_2}{4} < 4p,$

which contradicts (3.5), and so we must have $|b| = 1$. WLOG (changing the sign of $a$ if necessary), we can take $b = 1$.

Now let $\mathrm{Nr}(x+y) = (1+\mu)D_1 + D_2 = \mathrm{Nr}(cx' + dy') = c^2D_1' + d^2D_2' + cd\lambda D_1'$. Remarking as before that $c(c + d\lambda) \ge -\left(\frac{d\lambda}{2}\right)^2$, we obtain

$\mathrm{Nr}(x+y) = D_1(1+\mu) + D_2 \ge d^2D_2' - \left(\frac{d\lambda}{2}\right)^2D_1'.$

This with (4.6) implies that, for $|d| \ge 2$, we have

which again contradicts (3.5), and so we must have $|d| = 1$. WLOG (changing the sign of $c$ if necessary), we can take $d = 1$.

Since $D_1 = D_1'$ and $b = d = 1$, we have

(4.10) $D_2 = a(a + \lambda)D_1 + D_2'$ and

(4.11) $D_1(1 + \mu) + D_2 = c(c + \lambda)D_1 + D_2'.$

We observe that $a \ne c$ since otherwise $\mu = -1$, which is impossible from before. So subtracting (4.10) from (4.11), factorizing and dividing, gives us

(4.12) $\frac{1+\mu}{c-a} = a + c + \lambda.$

We observe that if $a = 0$ then $1 + \mu = c(c + \lambda)$, where the LHS is in $(0, 1)$, which implies from the RHS that $c = 1$. But this implies that $D_2 = D_2'$ and $\mathrm{Nr}(x+y) = \mathrm{Nr}(x'+y')$ as desired, and we conclude by Lemma 4.

So we assume now that $a \ne 0$. We note that if $a = 1$, then (4.12) becomes $1 + \mu = c(c + \lambda) - 1 - \lambda$, from which we see that the only possible solution (since the LHS is again in $(0, 1)$) is $c = -1$ and $\lambda = -\frac{1+\mu}{2} \in (-\frac12, 0)$.

We now claim that

(4.13) $D_2 \le \frac74D_2'.$

Indeed, if this was not the case, by (4.6) we would have

$M \le D_1D_2' < \frac47D_1D_2 < 4p,$

which contradicts (3.5).

Now (4.13) and (4.10) imply that $a(a + \lambda)D_1 + D_2' = D_2 \le \frac74D_2'$. We remark that $a(a + \lambda) > 0$ for all integers $a \ne 0$. Hence we have

(4.14) $D_1 \le \frac{3D_2'}{4a(a + \lambda)}.$

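Now let $\mathrm{Nr}(x-y) = (1-\mu)D_1 + D_2 = \mathrm{Nr}(ex' + fy') = e^2D_1' + f^2D_2' + ef\lambda D_1'$. We remark that $e^2 + \lambda ef \ge -\left(\frac{f\lambda}{2}\right)^2$, and so with (4.14), we have

$D_2 \ge f^2D_2' + \left(-\left(\frac{f\lambda}{2}\right)^2 - (1-\mu)\right)D_1 \ge D_2'\left(f^2 - \frac{3}{4a(a+\lambda)}\left(1 - \mu + \left(\frac{f\lambda}{2}\right)^2\right)\right)$

(4.15) $= D_2'\left(f^2\left(1 - \frac{3\lambda^2}{16a(a+\lambda)}\right) - \frac{3(1-\mu)}{4a(a+\lambda)}\right).$

We observe that for all $\lambda \in (-1, 0)$ and $a \in \mathbb{Z}$, with $a \ne 0$, and with $\lambda \in (-1/2, 0)$ when $a = 1$, it holds that

$\delta = 1 - \frac{3\lambda^2}{16a(a+\lambda)} > 0.$

Hence for all $|f| \ge 2$, it holds that

(4.16) $D_2 \ge D_2'\left(4\delta - \frac{3(1-\mu)}{4a(a+\lambda)}\right) \ge D_2'\left(4 - \frac{3(1-\mu+\lambda^2)}{4a(a+\lambda)}\right).$

By separating into the cases $a \le -2$, $a = -1$, $a = 1$ and $a \ge 2$, it can be readily checked that for $\lambda, \mu \in (-1, 0)$ and $a \in \mathbb{Z}$, with $a \ne 0$, and with $\lambda = -\frac{1+\mu}{2}$ when $a = 1$, it holds that

$\frac{1 - \mu + \lambda^2}{a(a+\lambda)} \le \frac52,$

with equality only in the case that $a = 1$ and $\mu = 0$, $\lambda = -\frac12$. As a result,

$D_2 > D_2'\left(4 - \frac{15}{8}\right) > \frac74D_2',$

which contradicts (4.13). We conclude that $|f| \ge 2$ is impossible, and hence WLOG, we take $f = 1$.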
We now have

(4.17) $D_1(1 - \mu) + D_2 = eD_1(e + \lambda) + D_2'.$

Viewing (4.10) and (4.17), we observe that $e \ne a$, as otherwise we would have $\mu = 1$, which is impossible. Hence subtracting (4.10) from (4.17) we obtain

(4.18) $\frac{1-\mu}{e-a} = a + e + \lambda.$

Viewing this in conjunction with (4.12), we wish to find the possible solutions to (4.12) and (4.18) with $a, c, e \in \mathbb{Z}$, $a \ne 0$, and $\lambda, \mu \in (-1, 0)$.

We observe that if $e - a = 1$ then the LHS of (4.18) is in $(1, 2)$, which implies $a + e = 2$. However this implies $2e = 3$, which is impossible. If $e - a = -1$, then the LHS of (4.18) is in $(-2, -1)$, which implies $a + e = -1$. However this implies $e = -1$ and $a = 0$, and we already saw that $a = 0$ implied the result of the theorem.

So we are only left to consider the case that $|e - a| \ge 2$. If $e - a \ge 2$, then the LHS of (4.18) is in $(0, 1)$, which implies that $a + e = 1$. If $e - a \le -2$ then the LHS of (4.18) is in $(-1, 0)$, which implies that $a + e = 0$. Exactly the same reasoning applies to (4.12) with $e$ replaced by $c$. As a result, we have the following implications:

$c - a \ge 2 \Rightarrow a + c = 1 \Rightarrow 1 - 2a \ge 2 \Rightarrow a < 0,$

$c - a \le -2 \Rightarrow a + c = 0 \Rightarrow -2a \le -2 \Rightarrow a > 0,$

$e - a \ge 2 \Rightarrow a + e = 1 \Rightarrow 1 - 2a \ge 2 \Rightarrow a < 0,$

$e - a \le -2 \Rightarrow a + e = 0 \Rightarrow -2a \le -2 \Rightarrow a > 0,$

with other values for $c - a$ and $e - a$ being impossible.

From this we see that if $a > 0$, then the only possibility for $e$ and $c$ is $e = c = -a$, and if $a < 0$, then the only possibility is $e = c = 1 - a$. In either case we obtain $e = c$. But together with (4.12) and (4.18), this implies that $1 + \mu = 1 - \mu$ and so $\mu = 0$, which we excluded earlier.

We conclude that the only possible solution to $D_2 = \mathrm{Nr}(ax' + by')$, $\mathrm{Nr}(x+y) = \mathrm{Nr}(cx' + dy')$ and $\mathrm{Nr}(x-y) = \mathrm{Nr}(ex' + fy')$ is $a = 0$, $b = 1$, $c = 1$, $d = 1$, $e = -1$, $f = 1$ (and the corresponding negative solutions if we wish to change signs). This implies by Lemma 4 that $y \sim y'$ and $x + y \sim x' + y'$ as desired. □

Remark 1. The bottleneck in the proof was in (4.9), which we used to show that $\mathrm{Nr}(x-y)$ could not be represented outside $\langle x', y'\rangle$. In this inequality, we see that the bound (4.6) could be replaced by $D_1D_2 < mp$, where $m$ is such that $m < \sqrt{60}$. An appropriate change to (4.8) would then also need to be made. It can easily be verified that all other inequalities in the proof will hold for all such $m$, so indeed (4.9) is the limiting factor in the proof. Since $D_1D_2 < \frac{16}{3}p$ is already the limiting factor in Lemma 7, we used the bound $7p$ in Lemma 8 for sake of simplicity.

Remark 2. Departing from the assumption $D_1 = D_1'$, it becomes easier to show our desired result, in the sense that the bound $D_1D_2 < \frac{16}{3}p$ from Lemma 7 can be loosened to $D_1D_2 < mp$ for $m$ as in Remark 1. This seems a little strange, as intuitively, $D_1 = D_1'$ should be the most obvious condition which should be satisfied. Furthermore, the proof of Lemma 7 did not use the assumption that $\mathrm{Nr}(x+y)$ and $\mathrm{Nr}(x-y)$ are also optimally represented by $\mathcal{O}'^T$. This suggests that there could be an alternative way to prove that $D_1 = D_1'$ than in Lemma 7 and hence to loosen the conditions imposed by Theorem 1.

Lemma 9. Let $\mathcal{O}, \mathcal{O}' \subset B_p$ be two maximal orders and let notation be as in Definition 2. Assume that $x \sim x'$, $y \sim y'$ and $x + y \sim x' + y'$. It follows then that $\langle x, y\rangle \sim \langle x', y'\rangle$, i.e., there exists non-zero $c \in B_p$ such that $c\langle x, y\rangle c^{-1} = \langle x', y'\rangle$.

Proof. As $\mathrm{Tr}(\mathcal{O}^T) = \mathrm{Tr}(\mathcal{O}'^T) = 0$, for all $r \in \mathcal{O}^T$ and $r' \in \mathcal{O}'^T$, it holds that $r \sim r'$ if and only if $\mathrm{Nr}(r) = \mathrm{Nr}(r')$ by Lemma 4. It follows that

$\mathrm{Nr}(x') + \mathrm{Nr}(y') + \mathrm{Tr}(x'\bar y') = \mathrm{Nr}(x' + y') = \mathrm{Nr}(x + y) = \mathrm{Nr}(x) + \mathrm{Nr}(y) + \mathrm{Tr}(x\bar y),$

and we obtain $\mathrm{Tr}(x\bar y) = \mathrm{Tr}(x'\bar y')$.

We recall that for any $u, v \in B_p$, we have

$uv + vu = \mathrm{Tr}(u)v + \mathrm{Tr}(v)u + \mathrm{Tr}(uv) - \mathrm{Tr}(u)\mathrm{Tr}(v).$

From this, it follows that $\langle 1, x, y, xy\rangle$ and $\langle 1, x', y', x'y'\rangle$ are both rings (we simply need to check that the product of any two generators stays within the lattice), and hence they are both orders. Furthermore, since $\bar x = -x$, $\bar y = -y$ and $\mathrm{Tr}(xy) = \mathrm{Tr}(x'y')$, we obtain that these orders are isomorphic under the natural mapping $\psi : a + bx + cy + dxy \mapsto a + bx' + cy' + dx'y'$. Since all isomorphisms of orders come from conjugation, we know that there exists non-zero $c \in B_p$ such that $c\langle 1, x, y, xy\rangle c^{-1} = \langle 1, x', y', x'y'\rangle$, and in particular, the conclusion of the lemma follows. □

The previous lemma simplifies the situation, in that we can conjugate O by an appropriate element c G B p 
and hence assume that x — x' and y = y' . It remains to deal with D3. 

Lemma 10. Let $O, O' \subset B_p$ be two maximal orders and let notation be as in Definition^ Suppose that $x = x'$ and $y = y'$. Suppose furthermore that there exists $w \in O'^T$, $w \notin \langle x, y\rangle$, such that $\mathrm{Nr}(w) = D_3$. It holds then that $O'^T = \langle x, y, w\rangle$, i.e., $\{x, y, w\}$ forms a $\mathbb{Z}$-basis for $O'^T$.

Lemma [10] is true for any two 3-dimensional lattices of equal determinant defined over a space with a 
positive bilinear form, but we will only use it in the context given above. 

Proof of Lemma [10]. Consider the 2-dimensional subspace

(4.19) $\langle x, y\rangle^{\perp} := \{v \in B_p \mid \mathrm{Tr}(vx) = \mathrm{Tr}(vy) = 0\}$.

As $x, y$ have zero trace, we see that $\mathbb{Q} \subset \langle x, y\rangle^{\perp}$, and so we can suppose $\langle x, y\rangle^{\perp}$ has $\mathbb{Q}$-basis $\{1, v\}$ with $\mathrm{Tr}(v) = 0$. Let $u \in \langle x, y\rangle^{\perp}$ be the projection of $z$ onto $\langle x, y\rangle^{\perp}$ (that is, u — 2^1 (J) ^3 = Nr(z') be
the third successive minima of $O'^T$ as usual. Let $u' \in \langle x, y\rangle^{\perp}$ be the projection of $z'$ onto $\langle x, y\rangle^{\perp}$. Then we have (recalling that the determinant is the square of the volume of a lattice)

(4.20) $\det(\langle x, y\rangle)\,\mathrm{Nr}(u) = \det(O^T) = \det(O'^T) = \det(\langle x, y\rangle)\,\mathrm{Nr}(u')$.

Since $u, u' \in \langle v\rangle$, we note that this implies $u = \pm u'$. Now we observe that

det(C T ) < det((a;,y))Nr(z) < < 2det(C T ), 

from which it follows that 

On the other hand, as $D_3$ is represented by $w \in O'^T = \langle x, y, z'\rangle$ outside of $\langle x, y\rangle$, we have that $w = ax + by + cz'$ for some $a, b, c \in \mathbb{Z}$, $c \neq 0$. Therefore

$D_3 = \mathrm{Nr}(w) = \mathrm{Nr}(ax + by + cz') \ge c^2\,\mathrm{Nr}(u') = c^2\,\frac{\det(O^T)}{\det(\langle x, y\rangle)}$,

where the last equality comes from (4.20). Combined with (4.21), this implies that $c = \pm 1$, and the conclusion follows. □

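The following lemma will be used in Lemma [12].

Lemma 11. Let $u, v \in O^T$. It then holds that $uv - \frac{1}{2}\mathrm{Tr}(uv) \in O^T \cap \langle u, v\rangle^{\perp}$, where $\langle u, v\rangle^{\perp}$ is defined in

Proof. We observe that $\mathrm{Tr}(uvu) = \mathrm{Tr}(uvv) = 0$ since both $u$ and $v$ have zero trace. So we have $uv \in \langle u, v\rangle^{\perp}$, and since $\mathbb{Q} \subset \langle u, v\rangle^{\perp}$, it follows that indeed $uv - \frac{1}{2}\mathrm{Tr}(uv) \in \langle u, v\rangle^{\perp}$.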

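Now let $u = 2a - \mathrm{Tr}(a)$, $v = 2b - \mathrm{Tr}(b) \in O^T$ for some $a, b \in O$, and define $t := 2ab - \mathrm{Tr}(a)b - \mathrm{Tr}(b)a \in O$. It is easy to verify that

$uv - 2t = \mathrm{Tr}(a)\mathrm{Tr}(b) \in \mathbb{Q}$.

It follows that $uv - \frac{1}{2}\mathrm{Tr}(uv) = 2t - \mathrm{Tr}(t)$. Since $2t - \mathrm{Tr}(t) \in O^T$, this implies that $uv - \frac{1}{2}\mathrm{Tr}(uv) \in O^T$ as desired. □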

Lemma 12. Let $O, O' \subset B_p$ be two maximal orders and let notation be as in Definition^ Suppose that $x = x'$ and $y = y'$. Suppose furthermore that there exists $w \in O'^T$, $w \notin \langle x, y\rangle$, such that $\mathrm{Nr}(w) = D_3$. It then holds that $z = \pm z'$ (from which it follows that $O^T = O'^T$) provided that

(4.22) $D_1 D_2 < \frac{16}{3}p$,

(4.23) $15 < D_1$, and

(4.24) $168 < p$.

Proof. As in the proof of Lemma [10], we let $u$ and $u'$ be the projections of $z$ and $z'$ onto $\langle x, y\rangle^{\perp}$. Hence, $z = (\alpha x + \beta y) + u$ for some $\alpha, \beta \in \mathbb{Q}$, and since $x, y, z \in O^T$, it follows that $\bar{u} = -u$ and so $u \in O^T$, and similarly for $z'$. We are in the same situation as Lemma [10] and in particular (4.20) holds, which implies $u = \pm u'$. By changing sign of $z'$ if necessary, we can WLOG assume $u = u'$. Furthermore, we know by Lemma [10] that $O'^T = \langle x, y, w\rangle$, and so WLOG the projection of $w$ onto $\langle x, y\rangle^{\perp}$ is also $u$.

We let $s := xy - \frac{1}{2}\mathrm{Tr}(xy)$, which by Lemma [11] lies in $O^T \cap \langle x, y\rangle^{\perp}$ and in $O'^T \cap \langle x, y\rangle^{\perp}$. We hence let $s = ax + by + cz$ and $s = a'x + b'y + c'w$ for some $a, b, c, a', b', c' \in \mathbb{Z}$.

Since $s \in \langle x, y\rangle^{\perp}$, and $u$ is the projection of $z$ and $w$ onto $\langle x, y\rangle^{\perp}$, it holds that $s = cu = c'u$, which implies $c = c'$. Furthermore, we have that

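(4.25) $\mathrm{Nr}(ax + by) = \mathrm{Nr}(s - cz) = \mathrm{Nr}(s) + c^2\,\mathrm{Nr}(z) - c\,\mathrm{Tr}(s\bar{z})$ and

(4.26) $\mathrm{Nr}(a'x + b'y) = \mathrm{Nr}(s - cw) = \mathrm{Nr}(s) + c^2\,\mathrm{Nr}(w) - c\,\mathrm{Tr}(s\bar{w})$.

The fact that the projections of $z$ and $w$ onto $\langle x, y\rangle^{\perp}$ are equal implies that $\mathrm{Tr}(s\bar{z}) = \mathrm{Tr}(s\bar{w})$. We also recall that $\mathrm{Nr}(z) = D_3 = \mathrm{Nr}(w)$. Together with (4.25) and (4.26), this implies that

(4.27) $\mathrm{Nr}(ax + by) = \mathrm{Nr}(a'x + b'y)$.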

We will now show that $\mathrm{Nr}(ax + by)$ cannot be too large and then apply Theorem 2' of [12] to conclude that $ax + by = \pm(a'x + b'y)$. Recall that $u = -\alpha x - \beta y + z$, for some $\alpha, \beta \in \mathbb{Q}$. We claim that the closest element to $\alpha x + \beta y$ in the lattice $\langle x, y\rangle$ is 0. Indeed, suppose a non-zero element $k \in \langle x, y\rangle$ was closer to $\alpha x + \beta y$ than 0 and consider the element $z + k$. Then $\mathrm{Nr}(-z - k) = \mathrm{Nr}(u) + \mathrm{Nr}(\alpha x + \beta y - k)$. However we then obtain $\mathrm{Nr}(\alpha x + \beta y - k) < \mathrm{Nr}(\alpha x + \beta y)$, since $\alpha x + \beta y$ is closer to $k$ than to 0. But this implies $\mathrm{Nr}(-z - k) < \mathrm{Nr}(z)$, and since $-z - k$ is outside of $\langle x, y\rangle$, this contradicts the fact that $z$ represents the third successive minima of $O^T$. Hence, 0 is the closest element of $\langle x, y\rangle$ to $\alpha x + \beta y$ as claimed. It is well known that the covering radius $\rho(\Lambda)$ of a lattice $\Lambda$ is always bounded by $\rho(\Lambda) \le \sigma(\Lambda)/2$, where $\sigma(\Lambda)$ is the length of the diagonal of the orthogonal parallelepiped of $\Lambda$ (see, for example, Theorem 7.9, page 138 of Micciancio and Goldwasser [9j). As a result, we have that

$\mathrm{Nr}(\alpha x + \beta y) \le \rho(\langle x, y\rangle)^2 \le \frac{1}{4}\sigma(\langle x, y\rangle)^2 \le \frac{1}{4}(D_1 + D_2)$.

Since $s = cu$, it holds that $a = c\alpha$ and $b = c\beta$, and so

(4.28) $\mathrm{Nr}(ax + by) = c^2\,\mathrm{Nr}(\alpha x + \beta y) \le \frac{c^2}{4}(D_1 + D_2)$.

We now bound $c$. By (3.2), we have that

$\frac{1}{2}D_1 D_2 D_3 \le 4p^2 = \det(\langle x, y, z\rangle) \le D_1 D_2\,\mathrm{Nr}(u)$.

It follows that $D_3 \le 2\,\mathrm{Nr}(u)$. Furthermore, we observe that

$c^2\,\mathrm{Nr}(u) = \mathrm{Nr}(s) = \mathrm{Nr}(xy - \frac{1}{2}\mathrm{Tr}(xy)) \le \mathrm{Nr}(xy) = D_1 D_2$.

Hence

(4.29) $D_3 \le \frac{2}{c^2}D_1 D_2$.

On the other hand, by (4.22) and (3.2), we obtain

9 3 4» 2 

^■ 3 °) 64^ 2< 4 P< ^k^ 

Combined with (4.29), this gives us $c^2 < \frac{128}{9} < 15$. As $c \in \mathbb{Z}$, this implies that $c^2 \le 9$. Therefore, from (4.28), we obtain

(4.31) $\mathrm{Nr}(ax + by) \le \frac{9}{4}(D_1 + D_2) \le \frac{9}{4}\left(15 + \frac{16p}{3 \cdot 15}\right) < p$,

where the last two inequalities follow from (4.22), (4.23) and (4.24). However, since $\mathrm{Nr}(a'x + b'y) = \mathrm{Nr}(ax + by)$ from (4.27), we obtain by Theorem 2' of [12] that $ax + by = \pm(a'x + b'y)$, and so $z = \pm z'$ as desired. □

Remark 3. As in the discussion of Lemma [5] in Remark [1], we can loosen the bound (4.22) to $D_1 D_2 < mp$, where $m$ is such that $m < \sqrt{32}$. This maintains the fact that (4.29) and (4.30) imply the inequality $c^2 < 16$. It can be readily checked that for all $m < \sqrt{32}$, all other inequalities in the proof hold for sufficiently large $p$. We could even increase $m$ above $\sqrt{32}$, thus losing the implication that $c^2 < 16$, but changing (4.23) to $M(m) < D_1$, for $M(m)$ sufficiently large and dependent on $m$. The important fact to check would be that the corresponding version of (4.31) is still bounded above by $p$ for our choice of $m$. However, since $D_1 D_2 < \frac{16}{3}p$ and $15 < D_1$ are already the limiting factors in LemmaEl for simplicity we have chosen to take $m = \frac{16}{3}$ here too.

Proof of Theorem [1]. Assume that $D_1$, $D_2$, $\mathrm{Nr}(x + y)$, $\mathrm{Nr}(x - y)$ and $D_3$ are all optimally represented in $O'^T$ and that $\theta'_{O^T}(D_3) \le \theta'_{O'^T}(D_3)$. From Lemma [HI we know that $D_1' = D_1$. Hence, from Lemma HI we have that $y \sim y'$ and $x + y \sim x' + y'$. By consequence, from Lemma [9], by conjugating $O'$ by an appropriate element $c \in B_p$, we can assume that $\langle x, y\rangle = \langle x', y'\rangle$. Now, in order that $\theta'_{O^T}(D_3) \le \theta'_{O'^T}(D_3)$, we require that $D_3$ is represented in $O'^T$ outside of $\langle x, y\rangle$. Hence, by Lemma [12] we must have $O^T = O'^T$. By Lemma[5J this implies that $O$ and $O'$ are of the same type as desired. This completes the proof of Theorem [1].

□

5. Algorithm to Associate Elliptic Curves to Maximal Orders 

In this section we consider the following problem: Given a maximal order $O \subset B_p$, to compute an elliptic curve $E/\mathbb{F}_{p^2}$ such that $\mathrm{End}(E) = O$. Our approach is to determine $j(E)$ using Hilbert class polynomials. We give a general method, but we are only able to prove that this method terminates when conditions (3.1) hold (e.g., when $\sqrt{-p} \in O$ and so $j(E) \in \mathbb{F}_p$).

Let $H_{-D}(X) \in \mathbb{F}_p[X]$ be the Hilbert class polynomial of discriminant $-D$ reduced modulo $p$ (see Section 13 of Cox [5]). We recall that $H_{-D}(X) \in \mathbb{Z}[X]$ is the polynomial whose roots are the j-invariants of the elliptic curves over $\mathbb{C}$ possessing the quadratic order $O_{-D} = \mathbb{Z}[\frac{1}{2}(D + \sqrt{-D})]$ as their endomorphism ring.

Note that if $\sqrt{-p} \in O$ then $O$ can be written in a canonical form given by Ibukiyama [11]. For example, when $p \equiv 1 \pmod 4$ then there exists a prime $q$ and an integer $r$ such that $q \mid (r^2 + p)$ and such that $O$ is isomorphic to an order with $\mathbb{Z}$-basis $\{1, (1 + j)/2, i(1 + j)/2, (r + i)j/q\}$ in the quaternion algebra defined by $i^2 = -p$, $j^2 = -q$ and $ij = -ji$. In the case $p \equiv 3 \pmod 4$ there are two such families of orders. Note that $j(E) \in \mathbb{F}_p$ is a root of $H_{-p}(X)$ and either $H_{-q}(X)$ or $H_{-4q}(X)$. When $q$ is small this already gives an efficient way to determine $j(E)$, however we cannot assume that $q$ is always small in Ibukiyama's result.

The idea of the algorithm is to find several small norms $d_1, d_2, \ldots, d_n$ of primitive elements in $O^T$, and to note that $(X - j(E))$ is a factor of $\gcd(H_{-d_1}(X), H_{-d_2}(X), \ldots, H_{-d_n}(X))$. Theorem [1] shows that if (3.1) holds, then the algorithm is guaranteed to terminate within a bounded time. The condition (3.1) holds in particular when $j(O) \in \mathbb{F}_p$. Some examples of the use of the method are given in Appendix A.

The above sketch is made precise in Theorem [2] and Algorithm 1. We first remark that if $O$ has a unit (element of norm 1) other than $\pm 1$, then it is known that $j(O) \in \{0, 1728\}$. Precisely, $j(O) = 0$ if there is a unit of (multiplicative) order 3 or 6, and $j(O) = 1728$ if there is a unit of order 4. So these cases pose no problems in identifying $j(O)$. In the following theorem, the cases $d = 3$ and $d = 4$ would have corresponded to non-trivial units of $O$ when $j(O) = 1728$ and $j(O) = 0$ respectively.

Theorem 2. Assume that $O$ has no units other than $\pm 1$. Then $d > 4$ is represented optimally by $O^T$ with optimal multiplicity $m$ if and only if $j(O)$ appears as a root of $H_{-d}(X) \in \mathbb{F}_p[X]$ with multiplicity $em$, where $e = 1$ or $2$ according to whether $p$ is inert or ramified in $\mathbb{Q}(\sqrt{-d})$, i.e., $p$ does not divide or does divide the discriminant $\Delta_{\mathbb{Q}(\sqrt{-d})}$ respectively.

Proof. This can be viewed as a special case of Lemma 3.2 of Elkies et al. [7], where the maximal order has no 
non-trivial units, and so the equivalence class of any optimal embedding i is simply i itself. We may assume 
$p$ is inert or ramified because if $p$ splits then the roots of $H_{-d}(X)$ correspond to ordinary elliptic curves. □

We will use Theorem [2] to distinguish orders that have different optimal multiplicities for some integer $d_n$. We use derivatives to achieve this; recall that if a polynomial $p(X)$ over a field $F$ has $x_0 \in F$ as a root with multiplicity $m > 1$, then it holds that $p'(X)$ has $x_0$ as a root with multiplicity $m - 1$.

Algorithm 1 

Input: A $\mathbb{Z}$-basis of a maximal order $O \subset B_p$.

Output: The minimal polynomial of the j-invariant(s) $j(O) \in \mathbb{F}_{p^2}$ such that $\mathrm{End}(E(j(O))) = O$.

Procedure:

(1) If $O$ has a unit other than $\pm 1$, output the polynomial corresponding to $j(O) = 0$ or $j(O) = 1728$ accordingly (see discussion before Theorem [2]) and terminate. Otherwise construct a $\mathbb{Z}$-basis of the sublattice $O^T$, and set $n = 1$, $k = 0$, $C = 0$ and $G(X) = 0$.

(2) Find $y_n \in O^T$ such that $y_n$ is primitive (so $y_n \neq 0$) and $y_n \neq \pm y_i$ for all $1 \le i < n$, and such that $\mathrm{Nr}(y_n)$ is minimal over all such possible $y_n$.

(3) Set $d_n = \mathrm{Nr}(y_n)$. If $p$ divides $\Delta_{\mathbb{Q}(\sqrt{-d_n})}$, set $e = 2$, otherwise set $e = 1$. If $d_n = d_{n-1}$ set $k = k + e$, otherwise set $k = e - 1$. If $e = 2$ and $k = 1$, set $G(X) = \gcd(G(X), H_{-d_n}(X), H'_{-d_n}(X)) \in \mathbb{F}_p[X]$. Otherwise set $G(X) = \gcd(G(X), H^{(k)}_{-d_n}(X)) \in \mathbb{F}_p[X]$, where $H^{(k)}_{-d_n}(X)$ is the $k$-th derivative of $H_{-d_n}(X)$, and $H^{(0)}_{-d_n}(X) = H_{-d_n}(X)$.

(4) If $G(X)$ is either linear, or quadratic and irreducible over $\mathbb{F}_p$, output $G(X)$ and terminate. If $C = 1$, or if $n = 2$, $15 < d_1$ and $d_1 d_2 < \frac{16}{3}p$, proceed to Step [5]. Otherwise set $n = n + 1$ and return to Step [2].

(5) If $n = 2$, set $C = 1$, $n = 3$ and $y_3 = y_1 \pm y_2$, where $+/-$ is chosen to minimize $\mathrm{Nr}(y_3)$. If $n = 3$, set $n = 4$ and $y_4 = y_1 \pm y_2$, such that $y_4 \neq y_3$. If $n = 4$, set $n = 5$ and find $y_5$ outside the sublattice $\langle y_1, y_2\rangle$ such that $\mathrm{Nr}(y_5)$ is minimal. Return to Step [3].

If the conditions (3.1) hold (e.g., if $j(O) \in \mathbb{F}_p$) then the algorithm terminates. Furthermore, in this case we only need to consider $n \le 5$ (this is the reason for the addition of Step [5], which otherwise seems completely unmotivated).

We hope that the algorithm terminates in all cases, but we do not have a proof of this (see discussion in the following paragraph). We note that since $d_1$ in Step [2] is simply the first successive minima of $O^T$, it must satisfy $d_1 < p$ (otherwise we contradict (3.2)). Hence by Theorem 2' of Kaneko [H] (namely, that if there are two different embeddings of $\mathbb{Z}[(d + \sqrt{d})/2]$ into $O$ then $d^2 \ge p^2$) and Theorem [2] above, $H_{-d_1}(X)$ is square-free, and hence so is $G(X)$ after the first iteration of Step [3]. Along with Theorem [2], this implies that if it terminates, Algorithm 1 does compute the correct minimal polynomial of $j(O)$. The reason for taking the derivative in Step [3] is to take into account the case of multiple roots of $H_{-d_n}(X)$, i.e., when $\theta'_{O^T}(d_n) \ge 2$, or when $p$ divides $\Delta_{\mathbb{Q}(\sqrt{-d_n})}$.

Let us temporarily stop the algorithm for some n > just after Step [3], and for simplicity, let us assume that $d_{n-1} \neq d_n$. Consider the polynomial $G(X)$. One of its roots (or two in the case of a conjugate pair) will be the desired j-invariant $j(O)$. If $j(O')$ is another root of $G(X)$, what can we say about the associated maximal order $O'$? It must be the case that $\theta'_{O^T}(k) \le \theta'_{O'^T}(k)$ for all integers $k \le d_{n-1}$, in which case we say that $O'^T$ optimally dominates $O^T$ up to $d_{n-1}$. If the algorithm never terminates, it is clear then that there must exist a maximal order $O'$ such that $\theta'_{O^T}(k) \le \theta'_{O'^T}(k)$ for all $k > 0$, i.e., $O'^T$ optimally dominates $O^T$ up to $b$ for all $b > 0$, in which case we simply say that $O'^T$ optimally dominates $O^T$. So the question of whether Algorithm 1 terminates, and if so, under what running time, is equivalent to the question of whether there exists another maximal order $O' \subset B_p$, of a different type to $O$, such that $O'^T$ optimally dominates $O^T$, and if not, what is a bound $b > 0$ such that $O'^T$ does not optimally dominate $O^T$ up to $b$ for all other maximal orders $O' \subset B_p$. We suspect that such an order $O'$ does not exist and we propose the following two conjectures.

Conjecture 1. There do not exist two maximal orders $O, O' \subset B_p$ of different types such that $O'^T$ optimally dominates $O^T$.

Conjecture 2. There exists a bound $b = O(p)$ such that for all maximal orders $O, O' \subset B_p$ of different types, $O'^T$ does not optimally dominate $O^T$ up to $b$.

5.1. Analysis of Running Time. We discuss each step of Algorithm 1 individually. We now assume that conditions (3.1) hold and so we know the algorithm terminates.

Step [1] and [2]. The units of $O$ are easily found and so the first part of Step [1] poses no problem. We observe that $O^T = \langle v_1, v_2, v_3\rangle$ is a 3-dimensional sublattice of $O = \langle 1, u_1, u_2, u_3\rangle$, where $\{v_1, v_2, v_3\}$ can be given explicitly in terms of $\{u_1, u_2, u_3\}$ as in the proof of LemmaO Hence constructing $O^T$ in Step [1] and searching for short elements $y_n$ of $O^T$ in Step [2] can be done using standard lattice techniques in polynomial time.

Step [3]. Several algorithms exist to compute $H_{-d_n}(X)$, see, for example, Belding, Bröker, Enge and Lauter [2] or Sutherland [17]. Under the generalised Riemann hypothesis, $H_{-d_n}(X)$ can be calculated in $O(d_n)$ time. It is known that $\deg(H_{-d_n}(X)) = h_{-d_n}$, the class number of the imaginary quadratic order $\mathbb{Z}[\frac{1}{2}(d_n + \sqrt{-d_n})]$.

To compute the gcd of $G(X)$ and $H_{-d_n}(X)$ in Step [3] when $\deg(G(X)) > 1$ we use a quasi-linear method (see, for example, Section 8.9 of Aho et al. PQ or Section 11.1 of [H]). Hence, this stage can be done in $O(h_{-d_n})$ operations in $\mathbb{F}_p$. By Lemma 1 of [2], we have $h_{-d_n} = O(\sqrt{d_n}\log d_n)$, and so the gcd computation can be done in $O(d_n^{0.5+\epsilon})$ field operations.

As a result, we see that the limiting step of Algorithm 1 is the calculation of $H_{-d_n}(X)$, which is bounded by $O(d_n^{1+\epsilon})$. By (3.6), $D_1$, $D_2$, $D_3$, $\mathrm{Nr}(x + y)$ and $\mathrm{Nr}(x - y)$ are all $O(p)$. It follows that the running time of Algorithm 1 under conditions (3.1) is $O(p^{1+\epsilon})$ field operations. We note that under conditions (3.1), (3.7) also implies -D3 > |p, so if $D_3$ is needed we should not expect to have a faster running time.

More generally, if we no longer assume conditions (3.1), then the $O(p)$ bound on the norms is Conjecture [2]. To analyse the running time of Algorithm 1 in the general case under Conjecture [2] we must bound the number of elements of $O^T$ with norm less than $b$, i.e., the largest possible value for $n$ in the algorithm (under conditions (3.1) we knew this was $n \le 5$). Let $B_r$ be the ball of radius $r$ in $\mathbb{R}^m$ centered at the origin. A special case of a result due to Henk [10] is that for any lattice $L$ of $\mathbb{R}^m$ with successive minima
Di, D 2 , . . . , D m , it holds that #(L n B r ) < 2™" 1 n™ 1 + lj . Equation implies D 3 > D 2 > 

so taking $r = \sqrt{b}$ and $b = O(p)$ gives $\#\{x \in O^T \mid \mathrm{Nr}(x) \le b\} = O(p^{0.5})$. This means $n \le O(p^{0.5})$ and, since $d_i \le b = O(p)$ for every $1 \le i \le n$ in Step [3], we obtain a running time of $O(p^{1.5+\epsilon})$ field operations under Conjecture [2].

We remark that by itself Conjecture [1] is equivalent to the fact that Algorithm 1 halts for every maximal order $O$, but it does not allow us to make any statements about its running time. We hence stress that even termination is conjectural without assuming conditions (3.1) or Conjecture [1].

Lemma [1] also tells us that DiD 2 < ^-p will always hold when $j(O) \in \mathbb{F}_p$. As remarked before, by finding an element $\pi \in O$ such that $\pi^2 = -p$, we can tell if we are in the case when $j(O) \in \mathbb{F}_p$. Hence, provided that it is computationally easier to determine the existence of such an element than to run the algorithm until $n = 5$, we could determine before running the algorithm if indeed $j(O) \in \mathbb{F}_p$. Unfortunately, the number of supersingular j-invariants in $\mathbb{F}_{p^2}$ is approximately $p/12$, and of these, only $H(-4p) = O(\sqrt{p}\log p)$ lie in $\mathbb{F}_p$, where $H(-4p)$ is known as the Hurwitz class number (see, for example, Theorem 14.18 of Cox [5]). This shows that for a random maximal order $O \subset B_p$, we definitely do not expect that $j(O) \in \mathbb{F}_p$.

5.2. Algorithm to match all supersingular j-invariants with all maximal orders. In [4], Cervino proposed an algorithm that, given a prime $p$, associates to every supersingular j-invariant of $\mathbb{F}_{p^2}$ the corresponding maximal order type of $B_p$. This is different to Algorithm 1 in that it deals with all j-invariants at once. Cervino states that his algorithm has running time $O(p^{2.5})$ operations but no explanation for this is given in the paper and, as far as we can tell, the algorithm he presents is actually at best 0(p ) field operations. To recall, Cervino computes, on one side, a list of all $O(p)$ maximal orders and, for each such order $O$, the set $\Gamma(O) = \{(\mathrm{Tr}(\alpha), \mathrm{Nr}(\alpha)) : \alpha \in O, \mathrm{Nr}(\alpha) = O(p)\}$. On the other side he computes a list of all $O(p)$ supersingular elliptic curves and, for each, the set $\Lambda(E) = \{(\mathrm{Tr}(\phi), \deg(\phi)) : \phi \in \mathrm{End}(E), \deg(\phi) = O(p)\}$. Computing $\Gamma(O)$ appears to require running over the $O(p^2)$ elements in the $\mathbb{Z}$-module of rank 4, hence requiring $O(p^2)$ work, at best. Cervino suggests to compute $\Lambda(E)$ using Vélu's formulae (and this seems to require $O(p^{3+\epsilon})$ field operations), but one can probably improve this to $O(p^{2+\epsilon})$ operations using evaluated modular polynomials $\Phi_d(j(E), y) \in \mathbb{F}_p[x]$, computed using Sutherland's algorithm [18]. Hence, it seems possible to improve Cervino's algorithm so that it requires $O(p^{3+\epsilon})$ field operations.

We propose an alternative algorithm to solve this problem. The main idea of our method is to replace isogeny computations, for a very large set of isogenies, by gcds of Hilbert class polynomials. This leads to a complexity of $O(p^{2.5+\epsilon})$ field operations.

If we consider the sub-problem of matching supersingular curves over $\mathbb{F}_p$ with their maximal orders, it seems that Cervino's algorithm can be adapted to handle this case with complexity $O(p^{2.5+\epsilon})$ field operations. Our method for this case has the improved complexity $O(p^{1.5+\epsilon})$.

Cervino's proof that the algorithm halts within a bounded running time uses a result of Schiemann (Theorems 4.4 and 4.5 of [15]) that two ternary forms with equal theta series are integrally equivalent. In our case, this translates to: if $O^T$ and $O'^T$ represent the same integers with the same multiplicity, then it follows that $O^T \sim O'^T$, and hence by Lemma [SJ we have that $O$ and $O'$ are of the same type. Furthermore, Schiemann gives a bound $b$ in terms of the successive minima $D_1$, $D_2$ and $D_3$ of $O^T$, such that if $O^T$ and $O'^T$ represent all integers $k \le b$ with the same multiplicity, then indeed $O$ and $O'$ are of the same type. For our purposes we may take $b = 3D_3$, which gives $b \le 6p$ using (3.6), although much better bounds are given in Schiemann's general result.

It is not difficult to see that $O^T$ and $O'^T$ represent the same integers with the same multiplicity if and only if they optimally represent the same integers with the same optimal multiplicity. This is because every representation $x \in O^T$ of $k \in \mathbb{Z}$ can be decomposed uniquely as $x = cy$, where $y \in O^T$ is optimal and $c$ is a positive integer. More specifically, we have the following:

Lemma 13. For any bound $b > 0$, it holds that $\theta_{O^T}(k) = \theta_{O'^T}(k)$ for all $k \le b$ if and only if $\theta'_{O^T}(k) = \theta'_{O'^T}(k)$ for all $k \le b$.

We now present our alternative to Cervino's algorithm in the general case of all supersingular curves over $\mathbb{F}_{p^2}$.

Algorithm 2 

Input: Prime p > 2. 

Output: The list of pairs $(O_1, K_1(X)), \ldots, (O_{t_p}, K_{t_p}(X))$, where $t_p$ is the type number of $B_p$, and for all $1 \le i \le t_p$, $O_i$ are representatives of the distinct maximal order types of $B_p$, and $K_i(X)$ is the minimal polynomial of the supersingular j-invariant(s) $j(O_i)$.

Procedure:

(1) For all $1 \le i \le t_p$, compute a $\mathbb{Z}$-basis of $O_i$ and $O_i^T$, find the successive minima $D_1$, $D_2$ and $D_3$ of $O_i^T$, and set $\mathfrak{D}_i = 0$.

(2) For every $1 \le i \le t_p$ run Algorithm 1 on $O_i$ up until it either halts normally or until we reach $n$ such that $d_n > 6p$. If Algorithm 1 halted normally, let $K_i(X)$ be its output, store the pair $(O_i, K_i(X))$, and set $\mathfrak{D}_i = 1$. Otherwise let $G_i(X)$ be the current polynomial after Step [3] of Algorithm 1, and store the pair $(O_i, G_i(X))$.

(3) For all $1 \le i, j \le t_p$ such that $\mathfrak{D}_i = 0$ and $\mathfrak{D}_j = 1$, remove from $G_i(X)$ all common factors with $K_j(X)$. If $G_i(X)$ is now either linear, or quadratic and irreducible over $\mathbb{F}_p$, let $K_i(X) = G_i(X)$ and store the pair $(O_i, K_i(X))$ and set $\mathfrak{D}_i = 1$.

(4) Repeat Step [3] until $\mathfrak{D}_i = 1$ for all $1 \le i \le t_p$. Output the list of pairs

$(O_1, K_1(X)), \ldots, (O_{t_p}, K_{t_p}(X))$.

The correctness of Algorithm 2 is guaranteed by the correctness of Algorithm 1. Furthermore Algorithm 2 is always guaranteed to halt, which may seem surprising given that the same is not true for Algorithm 1 in the general case. To see that Algorithm 2 does always halt, we define a transitive order $\preceq$ on the set of maximal order types as follows: $O_i \preceq O_k$ if and only if $O_k$ optimally dominates $O_i$ up to $6p$ (meaning that $\theta'_{O_i^T}(m) \le \theta'_{O_k^T}(m)$ for all $1 \le m \le 6p$).

We observe that if $O_i \preceq O_k$ and $O_k \preceq O_i$, then both orders $O_i$ and $O_k$ represent the same integers up to $6p$ with the same optimal multiplicity, and so it follows by Schiemann [15] and Lemma [13] that they are of the same type, i.e., $O_i = O_k$. Hence $\preceq$ is a partial order on the set of maximal order types $\{O_1, O_2, \ldots, O_{t_p}\}$.

Now consider that we have just finished Step [2] of Algorithm 2 and consider $1 \le i \le t_p$ such that $\mathfrak{D}_i = 0$ (if $\mathfrak{D}_i = 1$ for all $1 \le i \le t_p$ then the algorithm clearly terminates without even performing Step [3]). WLOG assume $i = 1$. From the remark following Algorithm 1, we know $G_1(X)$ is square-free and so before performing Step [3] we can write

$G_1(X) = (X - j_1)(X - j_2) \cdots (X - j_k)$,

where the j-invariants $j_1, j_2, \ldots, j_k$ are all distinct and represent at least two different maximal orders, i.e., we don't have $k = 1$, nor do we have $k = 2$ and $j_1, j_2$ form a conjugate pair. WLOG assume that $O(j_1) = O_1$, i.e., $j_1$ is the correct j-invariant associated with $O_1$, and likewise that $O(j_2) = O_2$, $O(j_3) = O_3$, etc.

Since the roots $j_2, j_3, \ldots, j_k$ were not removed from $G_1(X)$ when we ran Step [2], this implies that $O_2, O_3, \ldots, O_k$ all optimally dominate $O_1$ up to $6p$, i.e., we have $O_1 \prec O_i$ (meaning that $O_1 \preceq O_i$ and $O_1 \neq O_i$) for all $1 < i \le k$.

Assume now that $\mathfrak{D}_1$ never becomes 1 after any number of repetitions of Step [3]. This implies that one of $\mathfrak{D}_2, \mathfrak{D}_3, \ldots, \mathfrak{D}_k$ always remains 0 as well, since otherwise the roots $j_2, j_3, \ldots, j_k$ would ultimately be removed from $G_1(X)$ with enough repetitions of Step [3]. WLOG assume that $\mathfrak{D}_2$ always remains 0. But now the same argument applies to $\mathfrak{D}_2$, and there must exist another index $1 \le i \le t_p$ such that $O_2 \prec O_i$ and that $\mathfrak{D}_i$ always remains 0.

Hence we can find an ascending chain $O_1 \prec O_2 \prec O_i \prec \ldots$ such that $\mathfrak{D}_1, \mathfrak{D}_2, \mathfrak{D}_i, \ldots$ all remain 0. However every ascending chain clearly has an upper bound, so let us take $O_1 \prec O_2 \prec O_i \prec \cdots \prec O_n$, where $\mathfrak{D}_1, \mathfrak{D}_2, \mathfrak{D}_i, \ldots, \mathfrak{D}_n$ all remain 0, and such that we cannot find another order $O_m$ such that $O_n \prec O_m$ and $\mathfrak{D}_m$ always remains 0. But this implies that $\mathfrak{D}_n$ ultimately becomes 1 after a finite number of repetitions of Step [3], which clearly leads to a contradiction. It follows that $\mathfrak{D}_i$ eventually becomes 1 for every $1 \le i \le t_p$, which is equivalent to Algorithm 2 halting with the correct output.

To analyze the running time of Algorithm 2, we start by looking at Step [2]. By the same argument as in the analysis of the running time of Algorithm 1 (there under Conjecture [2]) we conclude that Step [2] can be done in time $O(p^{1.5+\epsilon})$ for every $1 \le i \le t_p$. Since $t_p$ is approximately $p/24$, Step [2] can be done overall in time $O(p^{2.5+\epsilon})$.

By earlier discussion and results from Cervino [4], Steps [1], [3] and [4] can be done within this running time also. Hence the overall complexity of Algorithm 2 is $O(p^{2.5+\epsilon})$. We stress that in contrast to Algorithm 1, Algorithm 2 is guaranteed to always halt within this running time irrespective of Conjectures [1] and [2].

Finally, we remark that Algorithm 2 can be restricted to the case when $j(O) \in \mathbb{F}_p$. It is possible to enumerate in Step [1] the maximal order types $O_1, O_2, \ldots, O_{H(-4p)}$ whose j-invariants lie in $\mathbb{F}_p$ in $O(p^{0.5+\epsilon})$ field operations [13]. From the analysis of Algorithm 1 under conditions (3.1), we know that Step [2] of Algorithm 2 can be done in time $O(p^{1+\epsilon})$ for every $1 \le i \le H(-4p)$. Since $H(-4p) = O(p^{0.5+\epsilon})$, this leads to a complexity of $O(p^{1.5+\epsilon})$ in this restricted case.
Appendix A. Two Examples

We demonstrate two examples of how Algorithm 1 runs, which were both constructed using the software package Magma [3].

Example 1. Let $p = 61$. The quaternion algebra $B_{61}$ is spanned by $\{1, i, j, k\}$ where $i^2 = -61$, $j^2 = -7$ and $k = ij = -ji$.
It can be checked that

(\ 1 \ /ll 1 \ /ll 3 1 

is a maximal order of $B_{61}$.

We construct $O^T$ and find that its shortest element is $y_1 = j$. We set $d_1 = \mathrm{Nr}(y_1) = 7$, and

$G(X) = H_{-d_1}(X) = H_{-7}(X) = X - 41 \in \mathbb{F}_{61}[X]$.

We conclude that the j-invariant associated to the maximal order $O$ is $j(O) = 41 \in \mathbb{F}_p$.
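The gcd loop of Steps (2)-(4) of Algorithm 1 on a small case, as an added example (not code from the paper or from Magma). It takes the Section 5 canonical-form basis for $p = 61$, $q = 7$ with the assumed choice $r = 3$ (this lattice is closed under multiplication and has reduced discriminant 61), forms $O^T$, lists short primitive norms by brute force, and reduces the standard Hilbert class polynomials for discriminants $-7$, $-35$ and $-40$ modulo $p$. The multiplicity and derivative bookkeeping and Step (5) are left out, and all function names are illustrative.

```python
from fractions import Fraction as Fr
from itertools import product
from math import gcd

# Constructed input: B_61 with i^2 = -61, j^2 = -7 (as in Example 1); r = 3 is an
# assumed choice satisfying q | r^2 + p (9 + 61 = 70 = 7 * 10).
P, Q, R = 61, 7, 3

# Z-basis {1, (1+j)/2, i(1+j)/2, (r+i)j/q} in coordinates on (1, i, j, k), k = ij.
ORDER_BASIS = [
    (Fr(1), Fr(0), Fr(0), Fr(0)),
    (Fr(1, 2), Fr(0), Fr(1, 2), Fr(0)),
    (Fr(0), Fr(1, 2), Fr(0), Fr(1, 2)),
    (Fr(0), Fr(0), Fr(R, Q), Fr(1, Q)),
]

# Hilbert class polynomials over Z, constant coefficient first.
CLASS_POLY = {
    7: [3375, 1],
    35: [-134217728000, 117964800, 1],
    40: [9103145472000, -425692800, 1],
}


def norm(v):
    """Reduced norm of a + b*i + c*j + d*k."""
    a, b, c, d = v
    return a * a + P * b * b + Q * c * c + P * Q * d * d


def trace_zero_lattice(order_basis):
    """Z-basis of O^T = {2x - Tr(x) : x in O}; Tr(x) = 2a, and the image of 1 is 0."""
    images = [(Fr(0), 2 * b, 2 * c, 2 * d) for (_a, b, c, d) in order_basis]
    return [v for v in images if any(v)]


def primitive_norms(lattice, box=3):
    """Sorted norms of primitive vectors, one per +/- pair, coefficients in [-box, box].

    Brute force is enough for this toy lattice; real code would enumerate short vectors.
    """
    norms = []
    for coeffs in product(range(-box, box + 1), repeat=len(lattice)):
        first = next((c for c in coeffs if c), 0)
        if first <= 0 or gcd(*coeffs) != 1:  # drop 0, half of each +/- pair, multiples
            continue
        v = [sum(c * b[k] for c, b in zip(coeffs, lattice)) for k in range(4)]
        norms.append(int(norm(v)))
    return sorted(norms)


def reduce_poly(f, p):
    """Coefficients mod p with leading zeros stripped; [] is the zero polynomial."""
    f = [c % p for c in f]
    while f and f[-1] == 0:
        f.pop()
    return f


def poly_gcd(f, g, p):
    """Monic gcd in F_p[X]; gcd(0, g) = g, matching the initial G(X) = 0."""
    f, g = reduce_poly(f, p), reduce_poly(g, p)
    while g:
        inv = pow(g[-1], -1, p)
        while len(f) >= len(g):  # replace f by f mod g
            shift, factor = len(f) - len(g), f[-1] * inv % p
            f = reduce_poly(
                [c - factor * g[i - shift] if i >= shift else c for i, c in enumerate(f)], p)
        f, g = g, f
    return [c * pow(f[-1], -1, p) % p for c in f] if f else []


def is_irreducible_quadratic(f, p):
    """Monic X^2 + bX + c over F_p, p odd: irreducible iff b^2 - 4c is a non-residue."""
    disc = (f[1] * f[1] - 4 * f[0]) % p
    return pow(disc, (p - 1) // 2, p) == p - 1


def algorithm1_sketch(norms, p):
    """Gcd loop of Steps (2)-(4); returns (G, number of norms used)."""
    G = []
    for n, d in enumerate(norms, start=1):
        G = poly_gcd(G, CLASS_POLY[d], p)
        if len(G) == 2 or (len(G) == 3 and is_irreducible_quadratic(G, p)):
            return G, n
    return G, len(norms)
```

The shortest primitive norm is 7 and the loop stops at once with $X + 20 = X - 41$ over $\mathbb{F}_{61}$, agreeing with Example 1; the norms 35 and 40 alone isolate the same root through $\gcd(H_{-35}, H_{-40})$.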

Example 2. Let $p = 20063$. The quaternion algebra $B_{20063}$ is spanned by $\{1, i, j, k\}$ where $i^2 = -20063$, $j^2 = -1$ and $k = ij = -ji$. We take $O$ as the maximal order in $B_{20063}$ with $\mathbb{Z}$-basis

1 1 13615, \ „ / 1 151 1109113, 



O = 1 - H j H fc + Z i H 7 H k 

\2 16 J 16 / V512 4096' 7 4096 

(1 13615 \ 
g.7 + — g— fe) +2048Zfc. 

We construct $O^T$ and begin searching through its short elements. We find

11 8323 51 
Vl ~ 64* " ^iT- 7 + 512^' 

which gives

$d_1 = \mathrm{Nr}(y_1) = 1056$,

and

$G_1(X) = H_{-d_1}(X) = H_{-1056}(X) \in \mathbb{F}_{20063}[X]$,

where $\deg(H_{-1056}(X)) = 16$.
Next we find

67 52101 85 , 

119 = 1 H 7 k, 

y 256 2048 J 2048 ' 

which gives

$d_2 = \mathrm{Nr}(y_2) = 2056$,

and

$G_2(X) = \gcd(G_1(X), H_{-2056}(X)) = X^3 + 8728X^2 + 8070X + 5035 \in \mathbb{F}_{20063}[X]$,

where $\deg(H_{-2056}(X)) = 16$.
Next we find

23 85393 289 , 

y 3 = 1 H 7 k 

y 256 2048 J 2048 

which gives

$d_3 = \mathrm{Nr}(y_3) = 2300$,

and

$G_3(X) = \gcd(G_2(X), H_{-2300}(X)) = X^2 + 2748X + 6627 = (X - \alpha)(X - \bar{\alpha}) \in \mathbb{F}_{20063}[X]$,

where $\deg(H_{-2300}(X)) = 18$ and $\alpha, \bar{\alpha}$ form a conjugate pair.

Hence we conclude that $O$ corresponds to a conjugate pair of supersingular j-invariants, $j(O) = \alpha, \bar{\alpha}$ with minimal polynomial $X^2 + 2748X + 6627$ over $\mathbb{F}_{20063}$.